jbit's blog

Sunday, May 10, 2015

Introduction

I bought this cute little router from Yodobashi Camera a few weeks ago for about 2,000JPY. I quite like compact hardware, and this was the smallest Wi-Fi router with four LAN ports that I could find. It works pretty well, but as usual the firmware is horrible and only exposes basic functionality. I haven't checked for security issues, but I wouldn't be surprised if it's full of holes. So I figured this weekend I'd spend some time hacking around with it!

Standard Disclaimer: Everything here will void your warranty. Messing around with bootloaders and firmware is a good way to kill your hardware. If you don't know the meaning of "3.3v UART", "initramfs" or "Kernel LZMA loader" then you should probably not try this at home :)

Hardware Investigation

Step one is figuring out what hardware it uses, and evaluating whether it's actually decent enough to warrant going any further. I've seen consumer routers with only 2MB of flash and 4MB of RAM, but hopefully this is a bit beefier. (Spoiler: since I've bothered to write this blog post, you can probably guess the hardware is somewhat decent.)

T9 Security Torx Screws and Wrench

My first issue was these stupid "T9 Torx Security" screws that hold the case together. They are just Torx screws with a pin in the middle, which means you can't use a normal Torx wrench. Luckily a shop nearby had a set of security wrenches for 150JPY! There are only two screws under the front rubber feet, so even without the correct tools one could probably coax them out somehow. After removing both screws the top of the case unclips easily and reveals the board. There is a light pipe assembly on the front of the board that is easily removed too.

Okay, this looks good! It seems that the RTL8881AN is the main processor, and the RTL8192ER is acting as an auxiliary radio to allow simultaneous 2.4GHz + 5GHz operation.
A bit of googling shows that the RTL8881AN is a SoC based on a Lexra RLX5281 Big-Endian MIPS derivative, with some extensions for efficient network traffic processing.
64MB of RAM is pretty decent for a cheap consumer router, and 8MB of Flash is workable for a small Linux installation.
The unpopulated pin headers are a promising sign for hacking, and on the back of the board there's even silk screen text that labels the magenta header as "UART"! It's easy to see on the board that Pin2 connects to the ground plane and the Pin3/Pin4 traces run to the CPU. Probing each pin during boot reveals that Pin3 is TXD, and after some trial and error the UART config turns out to be 38400 8N1.

So it runs an ancient version of Linux! And BusyBox! Both of these are GPL, so I should be able to go to the vendor site and get the source code and build my own kernel!
Yeah, about that... it turns out it's impossible to find source code on the Elecom, Logitec and Realtek sites. I've fired off some e-mails, but I'm not holding my breath. At least I have a root shell on it, although it seems to be lacking quite a lot of basic commands.
A bit more messing around reveals that the bootloader can be entered in a couple of ways: sending "ESC" over the serial line or holding the reset button during boot dumps you to a "<RealTek>" prompt with some interesting commands. Having access to a pre-boot environment makes it a lot safer to play around with. This bootloader actually allows loading a kernel over TFTP into RAM without touching Flash, which will make experimenting much easier.

Realtek Bootloader Command Reference

If you type ? at the bootloader prompt you get some basic help, but I had to experiment a little to find out the exact operation of each command, so here's a quick reference.

That's enough investigation for now! It looks like getting OpenWRT working on this board should be within the realms of possibility, and without too much risk. Right now the main roadblock is finding source code for the kernel and figuring out whether it needs customizing (GPIO pinout, antenna setup, etc.).